search

Gamer - 5 - Forensics

hashtag
Task

Q1 - The attacker scanned a range of IPs, storing the results in a file for exfiltration. What's the full path of the output file, the count of active hosts, and the IP & Port used for exfiltration?

Q2 - The attacker established a new account for persistence. Can you disclose the name of the new account and its creation date, please? TimeStamp (UTC)

Format: 0xL4ugh{FullPath_Count_IP:Port_username_TimeStamp}

Example: 0xL4ugh{C:**\fileName.ext_0_127.0.0.1:1337_HackerAwyyy_DD-MM-YYYY_HH:MM:SS}

hashtag
Solution

From the content of Gamer - 1 task we know that:

An employee downloaded an unauthorized app on their work PC to play and chat with gamer friends, leading to a malware infection. Utilizing investigative skills, please identify the specific events that transpired in this scenario.

We get Challenge.7z archive:

szczygielka@hacks$ file Challenge.7z 
Challenge.7z: 7-zip archive data, version 0.4

After unpacking we get another archive Image.7z. Let's copy it to a Windows virtual machine and unpack it using 7-zip:

PS C:\Users\Szczygielka\Documents\Image> dir

    Directory: C:\Users\Szczygielka\Documents\Image


Mode                 LastWriteTime         Length Name
----                 -------------         ------ ----
d-----        07.01.2024     10:30                C
d-----        07.01.2024     10:30                LongFileNames
-a----        07.01.2024     10:29         317431 2024-01-07T092714_CopyLog.csv
-a----        07.01.2024     10:29          19607 2024-01-07T092714_SkipLog.csv

We got a C disk content.

We will use the FTK Imager to analyze its content. This tool can be downloaded from herearrow-up-right. In the C:\ directory we find a custom directory called T3MP. This directory contains 2 files, which are run.bat and run.ps1.

Let's take a look at the contents of the run.ps1 script:

The script contains a payload encoded with Base64. Let's decode it using CyberChef:

The content of the payload indicates that this script scans the IP address from 192.168.1.1to 192.168.1.17, checking with the Test-Connection cmdlet whether a given host is online. Test-Connection sends ICMP echo request packets or pings to the host. Host scan results are saved to a file:

Then the content of the file is read and encoded to Base64 and sent to the remote host with IP address and port:

Let's check the contents of the A52148.txt file to find out which hosts were active:

We can see that only 3 hosts were active. We get all the answers for the first task. Now we have to find information about the creation of a new account in the system.

We can use event logs to find an event of the creation user account. In Windows event logs are stored in C:\Windows\System32\winevt\logs. We can view event logs using Event Viewer. Due to Microsoft documentationarrow-up-right event responsible for creating a new user should have ID 4720. This type of event belongs to the category User Account Management. According to information from Wikipediaarrow-up-right, events in this category can be logged in Security Log. So let's open the Security Log by theEvent Viewer and let's search for events with ID 4720.

We find an event that indicates the creation of a new user account:

The username of the new account is:

We have the username of the created account, but we still do not have time of its creation.

To find the information about the time of the created account we could also use information collected in the register. Information connected with a user account, login information, and group information might be found in the Security Account Manager (SAM) hive. The majority of registry hives are located in the C:\Windows\System32\Config directory, also SAM hive. To view the contents of the registry hive we can use Registry Explorer. This tool can be downloaded from herearrow-up-right.

In the location SAM\Domains\Account\Users we can find the following information connected with user accounts:

We notice that the account of 7amoksha user was created on 2024-01-07 at 9:16:20. Let's change the account creation format to match the format in the flag:

Flag:

PreviousWordpress - 2 - ForensicsNext1753CTF 2024

Last updated